Restrict messages to authorized addresses or domains

By default, users in your domain can exchange email messages with any email address. However, in some cases, you might want to restrict the addresses or domains your users can exchange messages with. For example, a school might want to allow students to exchange messages with faculty members and other students, but not with people outside of the school.

To enable bounce messages (messages that inform your users that they've sent email to a restricted address), add to your list of allowed senders. Bounce messages come from this address. 

When you restrict addresses or domains:

  • Receiving—Users can only receive messages from authorized addresses or domains. Messages sent from unauthorized domains—or messages from listed domains that can't be verified using DomainKeys Identified Mail (DKIM) or Sender Policy Framework (SPF) records—are returned to the sender with a message about the restriction policy.
  • Sending—Users who send messages to an unauthorized domain get a bounce message explaining why their email was not sent.

Note: To allow internal messages between users within your organization (the set of domains associated with your company or school), check the Bypass this setting for internal messages box.

Email delivery restrictions apply to all users in the organizational unit. You can set up different restriction policies for different organizations.

You can also restrict chat messages to users within your own domain. Learn more about sharing options.

Set up message restrictions

Initial step: Go to Gmail advanced settings in the Google Admin console
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in

  2. From the Admin console Home page, go to Appsand thenG Suiteand thenGmailand thenAdvanced settings.

    Tip: To see Advanced settings, scroll to the bottom of the Gmail page.

  3. On the left, select an organization.
  4. Scroll to the Restrict delivery setting, hover over the setting, and click Configure. If the setting is already configured, hover over the setting and click Edit or Add another.

  5. For each new setting, enter a unique name.

Go to the next step to configure the setting.

Step 1: Add addresses or domains that you want to allow

When you enter addresses or domain names, Gmail checks them against the From: part of the message header, not the envelope sender (or Return-Path section of the message header). Therefore, the From: sender must exactly match an address or domain you enter.

  1. Click Use existing or create a new one.
  2. Enter a name for the list in the Create new list field, and click Create.
  3. Hover over the name of the list, and then click Edit.
  4. Click Add.
  5. Enter email addresses or domain names, using a space or a comma to separate multiple entries.
  6. If the sending account doesn't have DKIM or SPF authentication, check the Do not require sender authentication box. If not checked, this sender's messages will still be rejected.


    To see a sender’s authentication configuration, use the Check MX tool, available at

  7. Click Save.
Step 2: (Optional) Create a customized rejection notice

You can enter a customized rejection notice, such as "Your email has been rejected because it violates organization policy."

Step 3: (Optional) Bypass this setting for internal messages

Check this box to bypass restrictions for email sent within your organization. The internal message must be authenticated (SPF/DKIM) for it to bypass the setting. Internal messages that aren't authenticated are rejected by this feature.

Final step: Add and save the setting
  1. Click Add setting or Save. Any new settings are added to the Gmail Advanced settings page.

  2. At the bottom, click Save.

It can take up to an hour for changes to take effect. You can track changes in the Admin console audit log.

Was this article helpful?
How can we improve it?